EU AI Act in Spain: AESIA, Enforcement, and Business Obligations

Guide · 2 June 2026 · 16 min read · 3,308 words

AESIA enforces the EU AI Act in Spain from A Coruña. Covers the draft Organic Law, AEPD overlap, Article 99 fines, and the Dec 2027 high-risk deadline.

Spain moved faster than almost any other EU Member State when it came to building national AI governance infrastructure. In 2023, before the Regulation itself was finalised, Spain created a dedicated supervisory agency — AESIA — and volunteered to run the EU's first AI regulatory sandbox. That headstart matters commercially and practically: companies operating in Spain or selling AI systems into Spanish markets will encounter a regulator with real institutional appetite for enforcement, not one standing up from scratch.

The EU AI Act — Regulation (EU) 2024/1689 — applies directly in Spain without any national transposition. Article 5's prohibitions have been in force since 2 February 2025. What Spain is still doing nationally is passing the legislation that gives AESIA full sanctioning powers and embeds the Regulation's procedures into Spanish administrative law. This article covers where Spain stands, who enforces, how the rules interact with the GDPR and the LOPDGDD, the corrected timeline following the Digital Omnibus, and what companies should be doing now.


A Regulation, Not a Directive: No Spanish Transposition Required

The EU AI Act is a Regulation — it has direct effect in every Member State under Article 288 TFEU. No Spanish law is needed before the obligations apply. Article 5's prohibited practices have applied since 2 February 2025, and GPAI model obligations under Chapter V have applied since 2 August 2025. A Spanish company that has been waiting for national legislation before acting on Article 5 has been in breach for over a year.

What Spain must provide nationally is narrower: designated competent authorities under Article 70, a domestic procedural basis for investigations and administrative fines, and national measures for areas where the Regulation reserves discretion — how sectoral regulators coordinate, how AI literacy obligations under Article 4 are operationalised in public employment, and how the Article 71 EU database for high-risk systems interfaces with national registries.

AESIA already exists and already has surveillance and advisory powers. What the pending national law supplies is the formal sanctioning framework: the procedural rules under which AESIA can open investigations, issue binding decisions, and impose fines within the Article 99 ceilings.


Spain's National AI Law: The Draft Organic Law

Spain's vehicle for embedding the Regulation into national law is the Anteproyecto de Ley Orgánica para el Buen Uso y la Gobernanza de la Inteligencia Artificial — the draft Organic Law for the Good Use and Governance of Artificial Intelligence. The Council of Ministers gave it first approval on 11 March 2025, and the Government advanced the text again in 2026 as parliamentary processing continued.

The draft Organic Law does three things. It adapts Spanish administrative law to the Regulation — creating the domestic procedural rules for AESIA's investigations, appeals, and enforcement. It codifies the Article 5 prohibited practices as domestic offences, giving them full sanctioning force under Spanish law. And it sets the procedural framework within which AESIA applies the Article 99 penalty tiers.

What the Organic Law does not do is alter the substantive obligations or their dates. The Regulation sets what you must do and when. The national law determines how Spain investigates and fines. As of June 2026, the Organic Law has not yet been enacted — it remains in parliamentary processing. AESIA's advisory, audit, and market-surveillance functions are already operative; its ability to impose binding fines under the full Article 99 structure depends on the national law's enactment.

Companies should not treat the law's absence as a window. AESIA is active, the prohibitions are live, and the Organic Law's passage is expected before general application on 2 August 2026.


Who Enforces the EU AI Act in Spain?

AESIA: Spain's Dedicated AI Supervisory Authority

The Agencia Española de Supervisión de la Inteligencia Artificial (AESIA) was created by Royal Decree 729/2023, making it the first dedicated national AI supervisory agency in the EU — ahead of the Regulation's final adoption. AESIA is headquartered in A Coruña, Galicia, attached to the Ministry for Digital Transformation and the Digital Agenda. It serves as Spain's primary market surveillance authority, notifying authority, and single point of contact for the EU AI Office.

Once the Organic Law grants AESIA its full sanctioning powers, its enforcement toolkit includes: auditing technical documentation under Article 11, reviewing conformity assessments and Article 72 post-market monitoring records, issuing corrective orders and requiring withdrawals, and applying Article 99 fines. AESIA is already conducting market-surveillance activities, providing guidance, and running sandbox programmes; full enforcement authority awaits the Organic Law.

AESIA's early institutional posture is worth noting. It has been a participant in the EU AI Office's stakeholder processes and has publicly prioritised sectoral risk profiling and a sandbox-first engagement model with companies. Its enforcement approach is likely to start with guidance and corrective orders before escalating to maximum fines — but that is not a guarantee, and Article 5 violations are a different category.

AEPD: Data Protection Intersects with AI

The Agencia Española de Protección de Datos (AEPD) — Spain's data protection authority — is the second relevant authority for AI compliance. Where a high-risk AI system processes personal data, AEPD and AESIA have coordinated jurisdiction. AEPD has already established itself as one of Europe's more active and early-moving DPAs: it has issued fines under the GDPR in contexts relevant to AI (facial recognition, automated profiling, consent in digital marketing) and has published specific guidance on AI and data protection.

AEPD and AESIA have coordination mechanisms in place to avoid duplicative investigations. In practice, any high-risk AI system that processes personal data at scale — recruitment screening tools, creditworthiness scoring models, public-benefit eligibility systems, biometric categorisation — should expect the possibility of both authorities taking an interest. AEPD's track record of proportionate, frequent enforcement is a useful signal of what AESIA's enforcement culture may look like.

AI Office (Brussels): GPAI Direct Supervision

Spanish GPAI model providers — companies developing and placing general-purpose AI models on the market — are supervised directly by the EU AI Office in Brussels under Articles 53 and 55, not by AESIA. AESIA acts as Spain's national single point of contact for the AI Office. Spanish companies in the foundation-model or open-source model space should engage with the AI Office's codes-of-practice process; GPAI compliance is not a domestic Spanish regulatory matter.


How Spain's Enforcement Interacts with the GDPR and the LOPDGDD

Spain implemented the GDPR through the Ley Orgánica 3/2018 de Protección de Datos Personales y Garantía de los Derechos Digitales (LOPDGDD). The GDPR and the EU AI Act apply in parallel wherever an AI system processes personal data — which covers nearly every Annex III high-risk system in practice.

The most direct interaction is between GDPR Article 35 (the Data Protection Impact Assessment, DPIA) and Article 27 of the EU AI Act (the Fundamental Rights Impact Assessment, FRIA). Both must be completed before deployment for the systems they cover, both assess risks to fundamental rights, and both must be documented and available to supervisors. For a Spanish public body deploying an AI tool to assess benefit eligibility, a DPIA under GDPR and a FRIA under Article 27 are simultaneously mandatory. Article 27(4) allows the FRIA to build on an existing DPIA — in practice, the two assessments share a significant factual base and should be run as an integrated process rather than duplicated separately.

A second overlap concerns automated decisions. GDPR Article 22 imposes restrictions and documentation duties on solely automated decisions that significantly affect individuals — and high-risk AI systems in areas like creditworthiness, employment, and public services frequently trigger it. Article 12 of the EU AI Act adds record-keeping requirements for high-risk systems. A Spanish lender deploying an AI creditworthiness model has simultaneous obligations under both instruments on logging, transparency, and the right to human review.

AEPD's published AI guidance already addresses this overlap. Companies operating in Spain should treat AEPD guidance as a live reference alongside AESIA's own publications.


The EU AI Act Timeline as It Applies in Spain

Date               What applies
2 February 2025    Article 5 prohibited practices and Article 4 AI literacy — in force, enforceable now
2 August 2025      GPAI obligations (Chapter V, Articles 51–56), governance, AI Office, Article 99 penalties
2 August 2026      General application including Article 50 limited-risk transparency (chatbots, deepfakes, synthetic-content marking)
2 December 2027    Stand-alone high-risk AI systems (Annex III list) — deferred under the Digital Omnibus
2 August 2028      High-risk AI as safety components of Annex I regulated products — deferred under the Digital Omnibus

Two points deserve particular emphasis for companies in Spain.

Article 5 is already in force and AESIA is already active. Prohibited practices — biometric categorisation by sensitive characteristics outside permitted exceptions, real-time remote biometric identification in public spaces, social scoring, and manipulation exploiting personal vulnerabilities — have been illegal since 2 February 2025. Any company whose AI touches those categories should have completed its review long before now.

The high-risk deadline is no longer August 2026. Under the Digital Omnibus — the Commission amendment package for which Parliament and Council reached political agreement on 7 May 2026 — stand-alone Annex III high-risk systems now have until 2 December 2027, and high-risk AI embedded in Annex I regulated products has until 2 August 2028. That is not a reprieve. Building a complete Article 9 risk management system, an Annex IV technical documentation pack, Article 14 human oversight controls, and a conformity assessment under Article 43 takes well-resourced organisations six to twelve months of sustained work.


Penalties: What Companies in Spain Face

The penalty framework is Article 99 of the Regulation. Spain's Organic Law will create the domestic procedural basis for enforcement within those ceilings, but it cannot set higher maximums — the ceilings are fixed by EU law. There are three tiers:

  • €35,000,000 or 7% of total worldwide annual turnover (whichever is higher) — for violations of the Article 5 prohibitions. This has been the applicable maximum since 2 August 2025, when Article 99 penalties entered force.
  • €15,000,000 or 3% — for non-compliance with most other obligations: high-risk AI requirements (Articles 9–15), provider obligations (Article 16), deployer obligations (Article 26), and Article 50 transparency duties.
  • €7,500,000 or 1% — for supplying incorrect, incomplete, or misleading information to notified bodies or competent authorities.

For smaller companies, Article 99(6) provides an important proportionality protection: for SMEs and start-ups, the fine is capped at the lower of the fixed amount or the percentage. A Spanish company with €4 million annual turnover cannot face a €15 million fine for a high-risk obligation breach — 3% of €4 million is €120,000, and that is the applicable ceiling.

These are maximums, not defaults. AESIA will apply proportionality factors — duration of infringement, degree of responsibility, cooperation with the investigation — before arriving at a figure. Spain's Organic Law may add procedural detail within those ceilings, but it cannot increase them.

GPAI-specific fines are a separate instrument: up to €15 million or 3%, imposed by the Commission directly on GPAI model providers under Article 101.


Spain-Specific Compliance Considerations

The EU's First AI Regulatory Sandbox

Spain ran the EU's first AI regulatory sandbox pilot, hosted by AESIA and launched before the Regulation's final adoption. The EU AI Act formalises sandbox access under Articles 57–59: each Member State must establish a national sandbox by 2 August 2026, with priority and free access for smaller companies. Spain is ahead of schedule here. Companies developing novel AI systems — particularly in sensitive Annex III areas — should consider sandbox participation before deployment. AESIA's sandbox engagement is genuine, not performative, and the structured testing environment can generate documentation that informs the Article 11 technical file.

Public Sector: Mandatory FRIA and High Visibility

Spanish public bodies — central ministries, autonomous community administrations, local councils, public employment services — deploy AI in several of the Annex III categories with the highest societal stakes: benefit eligibility, border processing, judicial assistance, and law enforcement risk assessment. Article 27 requires deployers who are public bodies (or act in the public interest) to complete a FRIA before putting a high-risk AI system into service. The assessment must be documented, updated when the deployment context changes materially, and available for AESIA inspection.

AESIA's enforcement focus is likely to land on public-sector deployments first — high visibility, societal impact, and the political accountability that makes early cases instructive for the wider market.

Deployer vs. Provider: The Article 25 Risk for Spanish Customisers

Most Spanish companies deploying third-party AI tools are deployers under Article 26. But companies that fine-tune vendor AI models on proprietary data, modify their parameters, or integrate third-party AI under their own branding can cross the Article 25 line into provider status — with the full Article 16 obligation stack, including Annex IV technical documentation, Article 43 conformity assessment, and Article 72 post-market monitoring.

This is particularly relevant for Spain's growing SaaS and technology sector, where it is common to build customer-facing products on top of third-party AI systems. If your company has wrapped, configured, or substantially modified a vendor AI tool and markets it under its own name, the Article 25 provider analysis is not optional.

AESIA's Likely Early Enforcement Focus

AESIA has signalled a sectoral, risk-based approach to supervision. The areas most likely to attract early enforcement attention are: prohibited practices (Article 5) involving biometric systems in public or employment contexts; public-sector high-risk deployments lacking the mandatory FRIA; and Article 50 transparency failures once general application commences in August 2026. Spain's AEPD track record — frequent, proportionate, early enforcement — is the relevant precedent.


How Confir Helps Companies in Spain

Spanish compliance teams face the same documentation challenge as the rest of the EU: Article 9 risk management records, Annex IV technical documentation, Article 27 FRIAs, conformity assessment preparation under Article 43, Article 72 post-market monitoring logs, and an AI inventory to underpin all of it.

Confir is an EU-hosted compliance tool designed specifically for this work. Its classification engine is rule-based and deterministic — it encodes Articles 5 and 6 with Annex III logic in explicit rules, so the same intake always produces the same finding, with a human-readable explanation of which rule fired. It generates the full Annex IV technical documentation pack, the Article 47 / Annex V Declaration of Conformity, and the Article 27 FRIA. The compliance assessment spans four structured areas: risk classification (AIRC), data and technical robustness (AITR), transparency and human oversight (AITO), and governance and post-market monitoring (AIGM). Self-serve from €600 per year, no consulting engagement required.


What Companies in Spain Should Do Now

Immediately (Article 5 obligations already apply): Audit any AI system that might involve biometric categorisation by sensitive characteristics, social scoring, subliminal manipulation, exploitation of personal vulnerabilities, or real-time biometric identification in public spaces. If it fits an Article 5 category and no exemption applies, stop using it. AESIA has the authority to act on these now, even before the Organic Law is enacted.

Before 2 August 2026 (Article 50 transparency): Any AI system that interacts with natural persons — chatbots, voice assistants, AI-generated content tools — must comply with Article 50's disclosure and labelling requirements. Users must know when they are interacting with AI, when content is synthetically generated, and when emotion recognition is in use. This deadline has not been deferred.

2026–2027 (high-risk preparation for Annex III systems): Companies with stand-alone Annex III systems have until 2 December 2027 under the Digital Omnibus deferral. Use the time well: build the AI inventory and classification, apply the Article 6(3) filter to identify which systems genuinely land in the high-risk category, assign provider and deployer roles under Articles 16 and 26, and begin Annex IV documentation. Public-body deployers should initiate the Article 27 FRIA process now.

Ongoing: Monitor the Organic Law's progress through the Spanish parliament. Follow AESIA's published guidance — it is substantive and will signal enforcement priorities. If your company has AI systems with GDPR implications, coordinate the Article 27 FRIA and GDPR Article 35 DPIA as an integrated process.


Frequently Asked Questions

Who enforces the EU AI Act in Spain?

AESIA (Agencia Española de Supervisión de la Inteligencia Artificial) is Spain's primary market surveillance authority and single point of contact for the EU AI Office, designated by Royal Decree 729/2023. AEPD (Agencia Española de Protección de Datos) has coordinated jurisdiction where high-risk AI processes personal data. The EU AI Office in Brussels directly supervises GPAI model providers under Articles 53 and 55.

What is AESIA and where is it based?

AESIA is Spain's dedicated AI supervisory agency, created by Royal Decree 729/2023 — the first such agency in the EU. It is headquartered in A Coruña, Galicia, and attached to the Ministry for Digital Transformation. Once Spain's pending Organic Law is enacted, AESIA will have full powers to audit technical documentation, review conformity assessments and Article 72 post-market monitoring records, issue corrective orders, and apply Article 99 fines. AESIA is already operationally active in market surveillance, guidance, and sandbox activities.

Has Spain passed a national AI law?

Not yet as of June 2026. Spain's Council of Ministers gave first approval to the draft Organic Law for the Good Use and Governance of Artificial Intelligence on 11 March 2025, and the Government advanced the text in 2026. The Organic Law remains in parliamentary processing. It does not change what obligations apply or when — those are set by Regulation (EU) 2024/1689 — but it will give AESIA full sanctioning powers once enacted.

What are the EU AI Act fines for companies in Spain?

Article 99 sets three tiers: €35 million or 7% of worldwide annual turnover for Article 5 prohibition violations; €15 million or 3% for most other obligations including high-risk AI requirements, provider and deployer duties, and Article 50 transparency; and €7.5 million or 1% for supplying incorrect or misleading information to authorities. For SMEs and start-ups, Article 99(6) caps fines at the lower of the fixed amount or the percentage. Spain's Organic Law adds procedural detail within these ceilings but cannot raise them.

Does the AEPD or AESIA regulate AI in Spain?

Both, in overlapping ways. AESIA is the primary EU AI Act market surveillance authority. AEPD retains jurisdiction over data protection under the GDPR and LOPDGDD, and has coordinated authority wherever a high-risk AI system processes personal data. The two agencies have coordination mechanisms to prevent duplicative investigations, but companies with data-intensive AI deployments should be prepared for both authorities to scrutinise the same system.

When do high-risk AI obligations apply in Spain?

Under the Digital Omnibus amendment (political agreement reached 7 May 2026), stand-alone high-risk AI systems listed in Annex III have until 2 December 2027. High-risk AI embedded in Annex I regulated products has until 2 August 2028. Article 5 prohibitions have applied since 2 February 2025 and Article 50 limited-risk transparency obligations apply from 2 August 2026.

Does the EU AI Act require transposition into Spanish law?

No. As an EU Regulation, Regulation (EU) 2024/1689 has direct effect in Spain under Article 288 TFEU. Spanish companies do not wait for national legislation before obligations apply. The pending Organic Law provides the domestic enforcement machinery — investigation procedures, appeal routes, sanctions process — but the substantive obligations and their dates come from the Regulation itself.

